This model should be rephrased a bit to make it more clear what the
requirements are. E.g. I think if you use POST it should not be a MAY but
a MUST that 500 is returned.
Also, what are the security errors you can get a 500 for? Are they not
handled by 403? I think handling them with 403 is counter to how they are
handled elsewhere though. Usually any kind of error is handled as a
generic network error. I think it might be better to simply use 200 if the
method was GET and 500 for everything else. You should probably also state
what needs to happen with user/password arguments and maybe add a note
that request headers are ignored. Furthermore, it has a note of sorts that
you can expect a Content-Type header in the response, but it should be
more detailed about what getAllResponseHeaders() will return. I.e. give a
more complete definition of the response.
--
Anne van Kesteren
http://annevankesteren.nl/